ID

VAR-201910-1249


CVE

CVE-2019-15849


TITLE

eQ-3 HomeMatic CCU3 Firmware session fixation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-011120

DESCRIPTION

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system. eQ-3 Homematic CCU3 is a central control unit for a smart home system from the German company eQ-3.

Trust: 2.16

sources: NVD: CVE-2019-15849 // JVNDB: JVNDB-2019-011120 // CNVD: CNVD-2020-14282

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-14282

AFFECTED PRODUCTS

vendor: eq 3, model: homematic ccu3, scope: eq, version: 3.14.11

Trust: 1.6

vendor: eq 3, model: ccu3, scope: eq, version: 3.41.11

Trust: 0.8

vendor: eq 3, model: eq-3 homematic ccu3, scope: eq, version: 3.41.11

Trust: 0.6

vendor: eq 3, model: homematic ccu3, scope: eq, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-14282 // JVNDB: JVNDB-2019-011120 // CNNVD: CNNVD-201910-1186 // NVD: CVE-2019-15849

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15849
value: HIGH

Trust: 1.0

NVD: CVE-2019-15849
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-14282
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201910-1186
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-15849
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-14282
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15849
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2019-15849
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-14282 // JVNDB: JVNDB-2019-011120 // CNNVD: CNNVD-201910-1186 // NVD: CVE-2019-15849

PROBLEMTYPE DATA

problemtype: CWE-384

Trust: 1.8

sources: JVNDB: JVNDB-2019-011120 // NVD: CVE-2019-15849

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1186

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201910-1186

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011120

PATCH

title: HomeMatic, url: https://www.eq-3.com/products/homematic.html

Trust: 0.8

title: Patch for eQ-3 Homematic CCU3 Session Fixing Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/205347

Trust: 0.6

sources: CNVD: CNVD-2020-14282 // JVNDB: JVNDB-2019-011120

EXTERNAL IDS

db: NVD, id: CVE-2019-15849

Trust: 3.0

db: JVNDB, id: JVNDB-2019-011120

Trust: 0.8

db: CNVD, id: CNVD-2020-14282

Trust: 0.6

db: CNNVD, id: CNNVD-201910-1186

Trust: 0.6

sources: CNVD: CNVD-2020-14282 // JVNDB: JVNDB-2019-011120 // CNNVD: CNNVD-201910-1186 // NVD: CVE-2019-15849

REFERENCES

url: https://noskill1337.github.io/homematic-ccu3-session-fixation

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2019-15849

Trust: 2.0

url: https://www.eq-3.com/products/homematic.html

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15849

Trust: 0.8

sources: CNVD: CNVD-2020-14282 // JVNDB: JVNDB-2019-011120 // CNNVD: CNNVD-201910-1186 // NVD: CVE-2019-15849

SOURCES

db: CNVD, id: CNVD-2020-14282
db: JVNDB, id: JVNDB-2019-011120
db: CNNVD, id: CNNVD-201910-1186
db: NVD, id: CVE-2019-15849

LAST UPDATE DATE

2024-11-23T22:11:47.340000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-14282, date: 2020-02-28T00:00:00
db: JVNDB, id: JVNDB-2019-011120, date: 2019-10-29T00:00:00
db: CNNVD, id: CNNVD-201910-1186, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2019-15849, date: 2024-11-21T04:29:36.500

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-14282, date: 2020-02-28T00:00:00
db: JVNDB, id: JVNDB-2019-011120, date: 2019-10-29T00:00:00
db: CNNVD, id: CNNVD-201910-1186, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2019-15849, date: 2019-10-17T14:15:10.760